Is this application or information collection new or is an existing one being modified? Existing
Does this application collect, maintain, and/or disseminate information in identifiable form (IIF)? Yes
Mission Program/Project Supported: NASA Office of Security and Program Protection/NASA Office of the Chief Information Officer

Provide an overview of the application or collection and indicate the legislation authorizing this activity.
The National Aeronautics and Space Administration Security Records System is a Privacy Act system of records to document, track, manage, analyze, and/or report on individuals accessing NASA resources. Routine uses of this system of records will be to determine eligibility to access classified national security information; to maintain a record of identification documentation provided to NASA as proof of an individual’s identity; to establish contact with an employee’s next-of-kin in the event of a mishap involving the employee; to provide personal identifying data to Federal, State, local or foreign law enforcement representatives seeking confirmation of identity of persons under investigation.

Describe the information the agency will collect, maintain, or disseminate and how the agency will use the information. In this description, indicate whether the information contains IIF and whether submission is voluntary or mandatory.
Records in this system include information about the individuals seeking access to NASA resources.Information about an individual may include, but is not limited to: name, home address, place of birth and citizenship, U.S. visitor/travel document numbers, employment information, Tax Identification Numbers (Social Security Number), description of the individual (height, weight, hair color, et al.)Submission of requested information is voluntary.

The records in this system of records are intended for the sole use of the U.S. Government and its contractors who support U.S. Government operations, policies, laws and regulations, as well as State, local and foreign law enforcement representatives seeking confirmation of identity of persons under investigation.

The Agency will use the information to conduct and document security violations and supervisory actions; ensure the safety and security of NASA facilities, systems, or information, and Agency occupants and users; enable contact with an employee’s next-of-kin in the event of a mishap involving the employee; complete the NASA identity proofing and registration process; create data records in the Personal Identity Verification (PIV) Identity Management System (IDMS); issue PIV cardsto verify that individuals entering federal facilities, using federal information resources, or accessing classified information are authorized to do so; track and control issued PIV cards.

Although fingerprints are collected, they are at once electronically transmitted to the Federal Bureau of Investigation (FBI) as part of a background investigative package in accordance with 42USC14616.Further, as required by FIPS-201 (Personal Identity Verification (PIV) of Federal Employees and Contractors), the fingerprints are encoded on the PIV card and held in an encrypted container.Immediately upon fulfilling these two requirements, NASA purges the collected fingerprints from the system. Thus, NASA does not maintain any fingerprints in any database, or any other system. Should a PIV card become lost, or damaged, biometrics must be recaptured because they are not stored in any NASA system.

See Federal Register System of Record Notice (SORN) NASA 10 SECR and Attachment A to this PIA.

Is submission of the IIF mandatory?
Submission of requested information is voluntary.Failure to submit requested information could result in NASA’s inability to fulfill Agency requirements as set forth in Federal Information Processing Standards Publication 201 (FIPS-201), and could result in the individual’s request for access to NASA physical and/or Information Technology resources being turn down.

Explain how the IIF collected, maintained, and/or disseminated is the minimum necessary to accomplish the purpose for this effort.
The information is collected directly from the individual.To achieve the objectives of the system, only the IIF information necessary to positively identify an individual; perform national criminal database checks; identify emergency notification information; and to maintain a history of traffic incidents on NASA facilities is obtained from individuals.This information may be shared with other Federal, State, local and foreign government agencies only as authorized by applicable laws and regulations.

See Federal Register System of Record Notice (SORN) NASA 10 SECR

Is a Privacy Act notice provided to the individual at the time information is collected? Yes
If yes, provide or attach the Privacy Act Statement.If notice is not provided, why not? The Privacy Act notice is currently being revised to ensure greater adequacy.

Privacy Act Notice
General - Pursuant to the, Privacy Act of 1974, as amended (5 U.S.C. 552a), and the National Aeronautics and Space Act, 42 U,S.C. § 2451 et seq., the following information is being solicited and collected for use in conjunction with the NASA Security Records System know as NASA 10SECR.

Purposes and Uses - The primary use of information collected on this form will be for the issuance of NASA badges.In addition, state, local, or Congressional offices which have a need to know in connection with program oversight or when relevant to civil, criminal, administrative, or regulatory investigations or proceedings. Additional uses are set forth and published in 10SECR at 49 FR 39742 (Dec. 13, 1999) and the standard uses as listed in Appendix B.

Effect of Nondisclosure - Failure to provide your Social Security Number (SSN) will result in NASA's inability to issue an Agency identification badge, as required under NPD 1600 "NASA Security Policy."This may result in your disqualification from performing particular work or duty assignments, or from the position that you currently hold.Disclosure of your SSN is MANDATORY in order to obtain a NASA badge.Executive Order 9397 authorizes the use of the SSN to distinguish between you and other people who may have identical names and birth dates.The SSN will be used to match the person completing this form with the correct individual master record currently maintained in NASA 10SECR.

The IIF information is only disseminated to other government agencies as authorized by applicable laws and regulations for purposes outlined below and provided in the Routine Uses of the SORN.

(See Federal Register System of Record Notice (SORN) for NASA 10 SECR.)

Identify with whom the agency will share the IIF.
Routine uses of the records containing IIF are as follows:

A record from this system may be disclosed to:

To the Department of Justice when: (a) the agency or any component thereof; or (b) any employee of the agency in his or her official capacity; (c) any employee of the agency in his or her individual capacity where agency or the Department of Justice has agreed to represent the employee; or (d) the United States Government, is a party to litigation or has an interest in such litigation, and by careful review, the agency determines that the records are both relevant and necessary to the litigation and the use of such records by DOJ is therefore deemed by the agency to be for a purpose compatible with the purpose for which the agency collected the records.

To a court or adjudicative body in a proceeding when: (a) the agency or any component thereof;(b) any employee of the agency in his or her official capacity; (c) any employee of the agency in his or her individual capacity where agency or the Department of Justice has agreed to represent the employee; or (d) the United States Government, is a party to litigation or has an interest in such litigation, and by careful review, the agency determines that the records are both relevant and necessary to the litigation and the use of such records is therefore deemed by the agency to be for a purpose that is compatible with the purpose for which the agency collected the records.

Except as noted on Forms SF 85, 85-P, and 86, when a record on its face, or in conjunction with other records, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule, or order issued pursuant thereto, disclosure may be made to the appropriate public authority, whether Federal, foreign, State, local, or tribal, or otherwise, responsible for enforcing, investigating or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation, or order issued pursuant thereto, if the information disclosed is relevant to any enforcement, regulatory, investigative or prosecutorial responsibility of the receiving entity.

To a Member of Congress or to a Congressional staff member in response to an inquiry of the Congressional office made at the written request of the constituent about whom the record is maintained.

To a staff member of the Executive Office of the President in response to an inquiry from the White House.

To the National Archives and Records Administration or to the General Services Administration for records management inspections conducted under 44 U.S.C. §§ 2904 and 2906.

To agency contractors, grantees, or volunteers who have been engaged to assist the agency in the performance of a contract service, grant, cooperative agreement, or other activity related to this system of records and who need to have access to the records in order to perform their activity. Recipients shall be required to comply with the requirements of the Privacy Act of 1974, as amended, 5 U.S.C. § 552a.

To other Federal agencies and relevant contractor facilities to determine eligibility of individuals to access classified National Security information.

To any source or potential source from which information is requested in the course of an investigation concerning the retention of an employee or other personnel action (other than hiring), or the retention of a security clearance, contract, grant, license, or other benefit, to the extent necessary to identify the individual, inform the source of the nature and purpose of the investigation, and to identify the type of information requested.

To any official investigative or judicial source from which information is requested in the course of an investigation, to the extent necessary to identify the individual, inform the source of the nature and purpose of the investigation, and to identify the type of information requested.

To a Federal State, local, foreign, or tribal or other public authority the fact that this system of records contains information relevant to the retention of an employee, the retention of a security clearance, the letting of a contract, or the issuance or retention of a license, grant, or other benefit.The other agency or licensing organization may then make a request supported by the written consent of the individual for the entire record if it so chooses.No disclosure will be made unless the information has been determined to be sufficiently reliable to support a referral to another office within the agency or to another Federal agency for criminal, civil, administrative personnel or regulatory action.

To the news media or the general public, factual information the disclosure of which would be in the public interest and which would not constitute an unwarranted invasion of personal privacy, consistent with Freedom of Information Act standards.

To a Federal State, or local agency, or other appropriate entities or individuals, or through established liaison channels to selected foreign governments, in order to enable an intelligence agency to carry out its responsibilities under the National Security Act of 1947 as amended, the CIA Act of 1949 as amended, Executive Order 12333 or any successor order, applicable national security directives, or classified implementing procedures approved by the Attorney General and promulgated pursuant to such statutes, orders or directives.

To notify another federal agency when, or verify whether a PIV card is longer valid.

See Federal Register System of Record Notice (SORN) NASA 10 SECR

Describe how the IIF will be obtained, from whom it will be collected, what the suppliers of information and the subjects will be told about the information collection, and how this message will be conveyed to them (e.g., written notice, electronic notice if a Web-based collection, etc.). Describe any opportunities for consent provided to individuals regarding what information is collected and how the information will be shared.
The IIF will be solicited directly from the individual. The individual will be advised of the authority and purposes for collecting this information as stated in 1-5 above.The information may be provided in written form, usually by the use of an approved OMB Standard Form (e.g., SF-85, SF-85P or SF-86).Individuals grant consent to the collection by providing the requested information.

Employers’ and former employers’ records; FBI criminal history records and other databases; financial institutions and credit reports; medical records and health care providers; educational institutions; interviews of witnesses such as neighbors, friends, co-workers, business associates, teachers, landlords, or family members; tax records; and other public records.Security violation information is obtained from a variety of sources, such as guard reports, security inspections, witnesses, supervisor’s reports, audit reports.

State whether personal information will be collected from children under age 13 on the Internet and, if so, how parental or guardian approval will be obtained. (Reference: Children’s Online Privacy Protection Act of 1998)
Information will not be collected from children.

Describe how the IIF will be secured.
The IIF will be secured using procedures set forth in NIST SP 800-18, NIST SP 800-53 and NIST SP 800-30.

Describe plans for retention and destruction of IIF.
NASA Records Retention Schedule (NRRS) 1/Item 103, NRRS 2/Item 4B2, NRRS 6/Item 11B, and General Records Schedule 18/Item 22a provide for the retention of the records for a period not to exceed 5-years from termination date.At that point, the records will be removed from the system, and all media with the data either overwritten or destroyed.

Identify whether a system of records is being created under section 552a of Title 5, United States Code (the Privacy Act), or identify the existing Privacy Act system of records notice under which the records will be maintained.
NASA 10 SECR is being updated.

Identify the procedures individuals must follow to gain access to their own information:
Individuals should follow the Record Access Procedures specified in NASA 10SECR.Specifically, Personnel Security Records compiled solely for the purpose of determining suitability, eligibility, or qualifications for Federal civilian employment, Federal contracts, or access to classified information have been exempted by the Administrator under 5 U.S.C. 552a(k)(5) from the access provisions of the Act.

Personal Identity Records:Requests from individuals should be addressed to the same address as stated in the Notification section in NASA 10SECR.

Emergency Data Records: Requests from individuals should be addressed to the same address as stated in the Notification section in NASA 10SECR.

Criminal Matter Records compiled for civil or criminal law enforcement purposes have been exempted by the Administrator under 5 U.S.C. 552a(k)(2) from the access provision of the Act.

Traffic Management Records: Requests from individuals should be addressed to the same address as stated in the Notification section in NASA 10SECR

What are the procedures for correcting information?
Procedures are specified in 14 CFR.1212.

Do individuals have the right to consent to particular uses of the information?
Through the NASA Systems of Record Notice (NASA 10 SECR) published in the Federal Register and the Privacy Act Statement provided at the time data are collected, NASA has informed individuals of the purpose of its collection.By providing the information, the individual concurs with the uses of the information as published in the Federal Register and this PIA.Individuals are not given the ability to determine individual uses for the information collected.

Data Protection ControlsGeneral Program Controls

NASA has detailed badge/card issuance procedures which has been approved by the headquarters Office of Security and Program Protection (OSPP), and distributed to each Center/facility issuing badges/cards.

The applicant appears in-person at least once before the issuance of a badge/credential.

The identity proofing, registration and issuance process adheres to the principle of separation of duties to ensure that no single individual has the capability to issue a credential without the cooperation of another authorized person.

NASA issues badges/credentials only through systems whose reliability has been established by the agency and so documented and approved in writing.

A comprehensive PIA is conducted on systems containing personal information in identifiable (IIF) form for implementing PIV, consistent the E-Government Act.

NASA has generated a SORN identifying the type of information collected, the purpose of the collection, how the information is protected, and the complete set of uses of the credential and related information during the life of the credential.

NASA assures that systems containing IIF for the purpose of enabling the implementation of PIV are handled in full compliance with the Privacy Act.

NASA ensures that only personnel with a legitimate need for access to IIF are authorized to access the IIF, including but not limited to information and databases maintained for registration and credential issuance.

NASA coordinates with appropriate department or agency officials to define consequences for violating privacy policies of the PIV program.

NASA has categorized the system risk level (as specified in FIPS 199) and utilizes security controls described in NIST SP800-53, Recommend Security Controls for Federal Information Systems, to accomplish privacy goals, where applicable.

What are the controls on data exchange and integrity of the credential?
The agency follows all applicable government-wide standards for controlling and protecting information systems (see NIST SP800-53). Specific controls are described below.

System security:The controls include network security and limited access to system and physical facilities.Program controls include protecting data through the >use of FIPS validated cryptographic algorithms in transit, processing and at rest.

Networks: The IT infrastructure that supports security programs is described in detail in associated IT Security Plans. All data exchange takes place over encrypted data communication networks that are designed and managed specifically to meet the needs of the Security program.Private networks and or encryption technologies are used during the electronic transfer of information to ensure “eavesdropping” is not allowed and that data is sent only to its intended destination and to an authorized user, by an authorized user.

Data Storage Facilities:Facilities and equipment are secured by limiting physical access to the workspace and system, and by requiring an appropriate verification of identity for logical access to the system.

Equipment: User Identification: PIV cardholders are authenticated to access the PIV system using, at a minimum, two-factor authentication based on their role and responsibility.A required component (first factor) of this authentication is the PIV card itself.In combination with the PIV, the second factor of this authentication requires a personal ID number (PIN), and/or biometric (e.g., fingerprint).

User Groups: System/application users have varying levels of responsibility and are only allowed to access information and features of the system appropriate for their level of job responsibility and security clearance.These rights are determined by the identification provided when authenticating (i.e., user identification) to the system as described above.

Network Firewall: Equipment and software are deployed to prevent intrusion into sensitive networks and computers.

Encryption: Sensitive data are protected by rendering it unreadable to anyone other than those with the correct keys to reverse the encrypted data.

Access Control: Access to data is PIN protected.

Audit Trails: Attempts to access sensitive data are recorded for forensic purposes if an unauthorized individual attempts to access the information contained within the system.

Recoverability: The system is designed to continue to function in the event that a disaster or disruption of service should occur.

Physical Security: Measures are employed to protect enrollment equipment, facilities, material, and information systems that are part of the PIV program.These measures include: locks, ID badges, fire protection, redundant power and climate control to protect IT equipment that are part of the PIV program.

System users/operators are officially designated as agents of the specific NASA facility and complete a training process associated with their specific role in the PIV process.

Separation of Duties Controls: As specified by NIST SP 800-79, duties associated with the issuance of badges/credentials meeting FIPS-201 requirements are separated to insure roles do not overlap.

Security of ID credential issued to an employee or contractor is achieved by full compliance with the mandatory requirements of the Federal Information Processing Standard Publication 201 (FIPS Pub 201), Personal Identity Verification of Federal Employees and Contractors. Specific safeguards include:

Card issuing authority limited to providers with official accreditation pursuant to NIST Special Publication 800-79, Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations

Cards use at least one visual tamper proof feature such as holograms, watermarks, etc.

Card data is encrypted and stored on the card

Employees are alerted to importance of protecting card

Card expiration within 5 years from issuance

Return of cards to agency when no longer needed (or upon employee/contractor separation from the agency)

Deactivation of card within 18 hours (the latest) of employee/contractor separation, loss of card, or expiration

Removal of all IIF associated with the cardholder from the system upon deactivation.

Specialized role-based training for all persons involved in the PIV process

Who will have access to the information?
Individuals listed in questions 18 and 40 of this PIA who include authorized information technology (IT) personnel or contractors (pursuant to an appropriate routine use) who handle the operations and maintenance of the system will have limited access to the system to support the credentialing activity as well as trouble shoot technical system issues encountered on a day-to-day basis.Additionally, as authorized by Section (b) (1) of the Privacy Act, disclosures may be made to officers and employees of the Agency which maintains the record who have a need for the record in the performance of their duties.

Are written procedures in place identifying who may access the system?
All NASA employees and assigned contractor staff with access to security systems containing IIF will receive appropriate privacy and security training, and have any necessary background investigations and/or security clearances for access to sensitive, privacy or classified information or secured facilities.Personnel will only have access to IIF information as part of their official duties within NASA and must first be approved by the Center Chief of Security prior to being granted access.

What technical and/or operational controls are in place to prevent misuse of data by those having access?
By design, and for security and privacy reasons, no enrollment data is stored at or by the enrollment workstation or center.The enrollment record can only be viewed or retrieved by a NASA enrollment official or PIV issuer who is trained and authorized to perform enrollment activities.The ability to retrieve or view an employee’s enrollment record is controlled by user authentication, which ensures only those with a need to access the data and who possess proper training can retrieve or view enrollment information.In addition to this access control, physical privacy protections will be used. These physical protections include the use of “Privacy Screens” that prevent passers-by from viewing enrollment record information that may be displayed on the enrollment center workstation.Additionally, the enrollment center’s physical security controls will be enforced to ensure that only NASA employment officer or PIV issuer with a need for access can enter the enrollment center and view personal information displayed on screens.

What decisions were made concerning this system as a result of conducting this assessment?
The storage location for system backup files is under reconsideration.

Update Privacy Act Statement provided to individuals at the time of information collection.

Contingent on the elements listed above and the satisfaction of all applicable Directives, OMB Guidance, and NIST standards and requirements, the privacy controls related to the system this PIA covers is considered adequate.